For those of you who know me, Henry was my basset hound, and the fictitious name used during (ahem) special research. I'm a former intelligence officer, a professional analyst, and a blogger since 2004 writing about my experiences on the journey -- information security, cyber intelligence, education, thoughts. Some love my writing, others hate it. If you like it, follow me!

Tuesday, November 25, 2014

Several Ukrainian hacktivist groups were (and are) active on the Ukrainian side of this year's ongoing conflict with Russia. As Eugene Dokukin and his "Ukrainian Cyber Forces" are quite open about what they are doing, let's look at their 13 strategies, as there appear to be striking similarities to what CyberBerkut is doing on the Russian side. It is also interesting to consider how these groups manage to keep doing things that are more than likely illegal in their countries, and how the military can use them when needed.

Background: “Ukrainian cyber forces and individual pro-Ukrainian hackers have maintained online attacks on all Internet resources linked to insurgents in the eastern part of the country, whom the Kyiv (Kiev) government deems as terrorists. As of early November, the cyber forces claimed to have downed 46 sites belonging to the breakaway pro-Russian states of the Lugansk People’s Republic (LNR) and the Donetsk People’s Republic (DNR) via multiple denial-of-service (DDoS) attacks. The cyber warfare operation, titled “Retribution,” has been ongoing since mid-2014. Last month, pro-Ukrainian hackers leaked secret documents from the DNR, representatives of Russian nationalist organizations in Crimea, and representatives of government agencies from the Russian Federation.” http://uadn.net/2014/11/17/pro-ukrainian-cyber-forces-take-down-46-separatist-sites-and-target-online-money-accounts/

“Pro-Ukraine hackers target e-currency accounts. The anti-insurgency cyber campaign has also moved beyond site attacks, with hackers targeting the financial networks of the DNR and LNR. A hacker at the forefront of pro-Ukraine cyber warfare efforts, Yevgeny Dokukin, has announced on his Facebook page that he managed to convince Russian online payment service Yandex Money to block the e-wallet of a notable group of DNR and LNR supporters last month. “Via my actions, I managed to stop the financing of terrorism through the Yandex Money system,” noted Dokukin via social media. However, fellow Russian electronic currency service WebMoney refused to cooperate with his blocking request.” http://uadn.net/2014/11/17/pro-ukrainian-cyber-forces-take-down-46-separatist-sites-and-target-online-money-accounts/

Operation “Bond, James Bond” - an espionage operation, which involves listening to and recording audio and video information from the various headquarters of terrorists and from webcams in Donbass and Crimea.

Operation “Turn off the Propaganda” - countering videos posted by terrorists on YouTube and other video hosting sites.

Operation “Crimea is Ukraine” - regaining control over all Crimean government sites (preferably all Crimean sites in the .ua domain zone), and spreading propaganda in Crimea through these sites.

Operation “Hunting for Trolls” - blocking accounts, pages and groups of terrorists and trolls in social networks.

As we can see, some of these methods are copied from what (pro-)Russian cyber forces were using earlier this year against Ukrainians. For example, CyberShtorm, CyberStorm 2 and CyberHurricane are similar in effect to the Telephony Denial of Service (TDoS) attacks we reported earlier... Only this time it is the Ukrainian side that is using them.

Eugene Dokukin is now open about his identity and gives interviews. When asked how they do things which are illegal according to Ukrainian law, he smiles: “Most of our work is legal. Closing accounts, websites and other resources of terrorists through complaints to electronic payment systems, domain and hosting providers, etc. - it's all legal. The only question may arise about hacking: hacking sites, email and social network accounts, as well as DDoS attacks on terrorists' websites. But officially, I don't know which of the fighters does it.” (http://uapress.info/ru/news/show/48475- in Russian)

In general, Eugene Dokukin says that there are three levels in his forces: volunteers who do legal things like Wikipedia editing and writing complaints to providers; those who do illegal but simple things like DDoS attacks and other flooding; and, at the highest level of his group, people who do real hacking.

Speaking about his enemies, Eugene Dokukin cites information from SBU head Valentin Nalivaychenko that the Russian FSB 18th Special Center has 1,500 personnel working full time, using automated systems to send messages and texts on social networks to spread panic. (http://uapress.info/ru/news/show/48475- in Russian)

He has a “white hacker” background (http://www.interpretermag.com/hackers-join-in-the-struggle-for-crimea/). Before creating the Ukrainian Cyber Forces, Eugene Dokukin was active in March fighting the Russian invasion. He hacked the Crimean Parliament site and posted "The referendum is canceled. Crimea continues to be a part of Ukraine. Everyone can go home, and Russian troops can return to their country." A few days later Dokukin also “dismissed” the pro-Russian Crimean leaders Aksenov (prime minister) and Konstantinov (speaker). The Ukrainian Cyber Forces' recent efforts to block pro-Russian financing claim to have closed 128 terrorist accounts holding over $1 million. (http://uapress.info/ru/news/show/48475- in Russian)

Ukrainian law enforcers know Eugene Dokukin and his group. They do not visibly trouble him over those of his activities that are not within the law, nor do they confirm that he is working for the government. But speaking anonymously, one of the law enforcers said to Focus.UA: “Intelligence agencies often use the services of hackers in exchange for a guarantee of immunity. This does not mean that this is how things are in Dokukin's case. But one can easily frame him: the bank will order a security audit - "network vulnerability pentesting" - and the contract is made. But only one security officer in the bank is told about it; the others are not. The latter, seeing the external interference, scanning and active attempts to crack, report unauthorized access to the system to the authorities. And then the hacker will spend a long and tedious time "proving that he is white and innocent."” (http://focus.ua/country/319358/ - in Russian)

Monday, November 24, 2014

Wapack Labs tracks cyber activities between Ukraine and Russia with the idea that there will be lessons that we can all learn from, taking those lessons to our defenses. This piece was published by an analyst in Wapack Labs' EURASIA analysis effort. The analyst, a non-native English speaker, has a rough writing style, but the content always offers amazing insights.

Enjoy.

Jeff

NATO cyber exercises & regional tensions

Published 11/24/14

The annual NATO cyber exercise "Cyber Coalition 2014" attracted a lot of attention: NATO estimates that global cyber crime makes a profit of $1 trillion a year - equivalent to the narcotics trade. NATO's computer servers are detecting 200 million suspicious cyber events every single day, the alliance has revealed. On average the military organisation is the victim of five major cyber attacks each week, and that has increased "significantly" since Russian aggression in Ukraine started. https://uk.news.yahoo.com/natos-cyber-war-games-amid-surge-attacks-020403587.html


NATO carried out its biggest ever cyber security exercise, involving hundreds of computer analysts. The three-day event, taking in 28 nations, was held on a former Soviet base in the city of Tartu, close to the Russian border. Estonia, the host nation, was attacked by Russian hackers in 2007. Banking systems, newspaper production and national websites were all affected. Since then the country has invested heavily in cyber capability and is now one of the leading nations in NATO. Estonia's president Toomas Hendrik told Sky News his country had noticed a surge in attacks since Russian aggression increased in Ukraine. He also revealed there had been a recent major attack on the country, but declined to reveal specifics. https://uk.news.yahoo.com/natos-cyber-war-games-amid-surge-attacks-020403587.html

The three-day cyber defence exercise Cyber Coalition 2014 tested the Alliance’s ability to defend its networks from various challenges. It involved over 670 technical, government and cyber experts operating from dozens of locations across the Alliance and partner nations. For the first time, representatives from academia and industry had been invited as observers. https://ccdcoe.org/centre-contributes-natos-largest-ever-multinational-cyber-defence-exercise.html

The Financial Times, in the article “Nato holds largest cyber war games”, gives an idea of the exercises and their connection to the Russian-Ukrainian military conflict:

From barracks in Tartu, a team of around 100 soldiers and intelligence officials on Monday began throwing sophisticated technical attacks at NATO teams across Europe and North America: troops’ Android phones were hacked after a downloadable app turned out to be hiding sophisticated malware; an imaginary supplier of military equipment was found to have had its own manufacturing process compromised, with security loopholes built into its computer chips; a Nato emergency response team was flown to Greece after one scenario in which the attackers succeeded in seizing control of the systems running Nato’s Awacs surveillance aircraft – one of the alliance’s most prized possessions.

In a particularly lurid cyber storyline, a senior NATO officer had his family kidnapped and was then blackmailed into stealing huge amounts of classified data from the alliance’s secure military networks. “Eventually,” said Luc Dandurand, deputy director of the exercise, “[the participants] work out that all these attacks are coming from a single entity – it’s all from one nation state.”

Officially, the attacker was meant to be disrupting a Nato mission in a fictitious, war-torn state in the Horn of Africa. In reality, the scenario was a thinly disguised version of the threats confronting the alliance as a result of the crisis in Ukraine. Russia, though never mentioned, loomed large.

In one simulated attack, for example, the classified communications of the general in charge of the fictitious Nato deployment were hacked. The hackers then leaked the information to a global newspaper, which promptly published the Nato military chief’s private declaration that the war was unwinnable. That was eerily reminiscent of an episode in Kiev in February when a candid conversation between US assistant secretary of state Victoria Nuland and Washington’s ambassador to Ukraine, Geoffrey Pyatt, was secretly recorded and leaked to the press. http://www.ft.com/intl/cms/s/0/9c46a600-70c5-11e4-8113-00144feabdc0.html